From 0abbf3b2097bd3df482897cbcdb11d2dd6b19654 Mon Sep 17 00:00:00 2001 From: James South Date: Thu, 6 Feb 2014 17:36:13 +0000 Subject: [PATCH] Improved url security check Former-commit-id: e6c76fcca124a5a5689440a3c8952584e93a2616 --- src/ImageProcessor.Web/NET45/Helpers/RemoteFile.cs | 2 +- .../config/imageprocessor/security.config | 7 +++++++ .../Test_Website_Webforms_NET45.csproj | 4 +++- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/ImageProcessor.Web/NET45/Helpers/RemoteFile.cs b/src/ImageProcessor.Web/NET45/Helpers/RemoteFile.cs index 13ce1c637..39dce8955 100644 --- a/src/ImageProcessor.Web/NET45/Helpers/RemoteFile.cs +++ b/src/ImageProcessor.Web/NET45/Helpers/RemoteFile.cs @@ -351,7 +351,7 @@ namespace ImageProcessor.Web.Helpers /// private void CheckSafeUrlLocation() { - bool validUrl = RemoteFileWhiteList.Any(item => item.Host.ToUpperInvariant().Equals(this.url.Host.ToUpperInvariant())); + bool validUrl = RemoteFileWhiteList.Any(item => this.url.Host.ToUpperInvariant().StartsWith(item.Host.ToUpperInvariant())); if (!validUrl) { diff --git a/src/TestWebsites/NET45/Test_Website_NET45/config/imageprocessor/security.config b/src/TestWebsites/NET45/Test_Website_NET45/config/imageprocessor/security.config index 8a5716290..05f9ed734 100644 --- a/src/TestWebsites/NET45/Test_Website_NET45/config/imageprocessor/security.config +++ b/src/TestWebsites/NET45/Test_Website_NET45/config/imageprocessor/security.config @@ -3,5 +3,12 @@ + + + + + + + diff --git a/src/TestWebsites/NET45/Test_Website_Webforms_NET45/Test_Website_Webforms_NET45.csproj b/src/TestWebsites/NET45/Test_Website_Webforms_NET45/Test_Website_Webforms_NET45.csproj index 8ad9bff56..5084fa1e0 100644 --- a/src/TestWebsites/NET45/Test_Website_Webforms_NET45/Test_Website_Webforms_NET45.csproj +++ b/src/TestWebsites/NET45/Test_Website_Webforms_NET45/Test_Website_Webforms_NET45.csproj @@ -276,7 +276,9 @@ - + + Designer +
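Review bot: In the RemoteFile.cs hunk, the new `StartsWith` comparison in `CheckSafeUrlLocation` loosens the whitelist instead of tightening it, because any request host that merely begins with a whitelisted host now passes; with a constructed entry `images.example.org`, the host `images.example.org.unrelated.test` would be accepted. This list decides which remote servers the application will fetch from, so the match should be anchored on a host-label boundary: the exact host, or a dot-prefixed suffix if subdomains are meant to be allowed. For example, `bool validUrl = RemoteFileWhiteList.Any(item => this.url.Host.Equals(item.Host, StringComparison.OrdinalIgnoreCase) || this.url.Host.EndsWith("." + item.Host, StringComparison.OrdinalIgnoreCase));`. The entries added to security.config are not legible on this page, so if the prefix match was introduced to support them, a comment stating the intended matching rule and a test with a look-alike host that must be rejected would make the intent checkable. The method body continues past the end of the hunk.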